@apiagex/database 0.6.2

package/dist/migrations-additive.d.ts

@@ -0,0 +1,2 @@
+export declare const MVP_ADDITIVE_MIGRATIONS_SQL: readonly ["ALTER TABLE fields ADD COLUMN relation_type TEXT", "ALTER TABLE roles ADD COLUMN role_kind TEXT NOT NULL DEFAULT 'api'", "UPDATE roles SET role_kind = 'admin' WHERE is_owner = 1 OR name IN ('owner', 'admin', 'schema-manager', 'user-manager')", "CREATE TABLE IF NOT EXISTS admin_permissions (\n    id TEXT PRIMARY KEY,\n    role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,\n    action TEXT NOT NULL,\n    allowed INTEGER NOT NULL DEFAULT 0,\n    UNIQUE(role_id, action)\n  )", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_schemas', id, 'schemas', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_entries', id, 'entries', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_apiRoles', id, 'apiRoles', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_apiUsers', id, 'apiUsers', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_settings', id, 'settings', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_schema-manager_schemas', id, 'schemas', 1 FROM roles WHERE name = 'schema-manager' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_schema-manager_entries', id, 'entries', 1 FROM roles WHERE name = 'schema-manager' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_user-manager_apiRoles', id, 'apiRoles', 1 FROM roles WHERE name = 'user-manager' AND role_kind = 'admin'", "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_user-manager_apiUsers', id, 'apiUsers', 1 FROM roles WHERE name = 'user-manager' AND role_kind = 'admin'", "CREATE TABLE IF NOT EXISTS api_tokens (\n    id TEXT PRIMARY KEY,\n    role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,\n    name TEXT NOT NULL,\n    token_hash TEXT NOT NULL UNIQUE,\n    token_prefix TEXT NOT NULL,\n    created_at TEXT NOT NULL,\n    last_used_at TEXT,\n    revoked_at TEXT\n  )", "CREATE TABLE IF NOT EXISTS webhooks (\n    id TEXT PRIMARY KEY,\n    name TEXT NOT NULL,\n    url TEXT NOT NULL,\n    secret TEXT NOT NULL,\n    events_json TEXT NOT NULL,\n    schema_id TEXT REFERENCES schemas(id) ON DELETE SET NULL,\n    active INTEGER NOT NULL DEFAULT 1,\n    created_at TEXT NOT NULL,\n    updated_at TEXT NOT NULL\n  )", "CREATE TABLE IF NOT EXISTS webhook_events (\n    id TEXT PRIMARY KEY,\n    event_type TEXT NOT NULL,\n    schema_id TEXT NOT NULL,\n    schema_slug TEXT NOT NULL,\n    entry_id TEXT NOT NULL,\n    payload_json TEXT NOT NULL,\n    status TEXT NOT NULL DEFAULT 'pending',\n    attempts INTEGER NOT NULL DEFAULT 0,\n    next_retry_at TEXT,\n    created_at TEXT NOT NULL,\n    updated_at TEXT NOT NULL\n  )", "CREATE TABLE IF NOT EXISTS webhook_deliveries (\n    id TEXT PRIMARY KEY,\n    event_id TEXT NOT NULL REFERENCES webhook_events(id) ON DELETE CASCADE,\n    webhook_id TEXT NOT NULL REFERENCES webhooks(id) ON DELETE CASCADE,\n    url TEXT NOT NULL,\n    status TEXT NOT NULL,\n    status_code INTEGER,\n    response_body TEXT,\n    error TEXT,\n    attempt INTEGER NOT NULL,\n    created_at TEXT NOT NULL,\n    next_retry_at TEXT\n  )", "CREATE TABLE IF NOT EXISTS realtime_configs (schema_id TEXT PRIMARY KEY REFERENCES schemas(id) ON DELETE CASCADE, enabled INTEGER NOT NULL DEFAULT 0, events_json TEXT NOT NULL, created_at TEXT NOT NULL, updated_at TEXT NOT NULL)", "CREATE TABLE IF NOT EXISTS realtime_events (sequence INTEGER PRIMARY KEY AUTOINCREMENT, id TEXT NOT NULL UNIQUE, message_id TEXT NOT NULL UNIQUE, event_type TEXT NOT NULL, schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE, schema_slug TEXT NOT NULL, entry_id TEXT NOT NULL, entry_json TEXT NOT NULL, occurred_at TEXT NOT NULL, created_at TEXT NOT NULL)", "CREATE TABLE IF NOT EXISTS realtime_sessions (id TEXT PRIMARY KEY, token_hash TEXT NOT NULL UNIQUE, token_prefix TEXT NOT NULL, role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE, schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE, schema_slug TEXT NOT NULL, created_at TEXT NOT NULL, expires_at TEXT NOT NULL, used_at TEXT)"];
+//# sourceMappingURL=migrations-additive.d.ts.map

package/dist/migrations-additive.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrations-additive.d.ts","sourceRoot":"","sources":["../src/migrations-additive.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,2BAA2B,knJAsE9B,CAAC"}

package/dist/migrations-additive.js

@@ -0,0 +1,71 @@
+export const MVP_ADDITIVE_MIGRATIONS_SQL = [
+    "ALTER TABLE fields ADD COLUMN relation_type TEXT",
+    "ALTER TABLE roles ADD COLUMN role_kind TEXT NOT NULL DEFAULT 'api'",
+    "UPDATE roles SET role_kind = 'admin' WHERE is_owner = 1 OR name IN ('owner', 'admin', 'schema-manager', 'user-manager')",
+    `CREATE TABLE IF NOT EXISTS admin_permissions (
+    id TEXT PRIMARY KEY,
+    role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+    action TEXT NOT NULL,
+    allowed INTEGER NOT NULL DEFAULT 0,
+    UNIQUE(role_id, action)
+  )`,
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_schemas', id, 'schemas', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_entries', id, 'entries', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_apiRoles', id, 'apiRoles', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_apiUsers', id, 'apiUsers', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_admin_settings', id, 'settings', 1 FROM roles WHERE name = 'admin' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_schema-manager_schemas', id, 'schemas', 1 FROM roles WHERE name = 'schema-manager' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_schema-manager_entries', id, 'entries', 1 FROM roles WHERE name = 'schema-manager' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_user-manager_apiRoles', id, 'apiRoles', 1 FROM roles WHERE name = 'user-manager' AND role_kind = 'admin'",
+    "INSERT OR IGNORE INTO admin_permissions (id, role_id, action, allowed) SELECT 'admin_permission_user-manager_apiUsers', id, 'apiUsers', 1 FROM roles WHERE name = 'user-manager' AND role_kind = 'admin'",
+    `CREATE TABLE IF NOT EXISTS api_tokens (
+    id TEXT PRIMARY KEY,
+    role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+    name TEXT NOT NULL,
+    token_hash TEXT NOT NULL UNIQUE,
+    token_prefix TEXT NOT NULL,
+    created_at TEXT NOT NULL,
+    last_used_at TEXT,
+    revoked_at TEXT
+  )`,
+    `CREATE TABLE IF NOT EXISTS webhooks (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    url TEXT NOT NULL,
+    secret TEXT NOT NULL,
+    events_json TEXT NOT NULL,
+    schema_id TEXT REFERENCES schemas(id) ON DELETE SET NULL,
+    active INTEGER NOT NULL DEFAULT 1,
+    created_at TEXT NOT NULL,
+    updated_at TEXT NOT NULL
+  )`,
+    `CREATE TABLE IF NOT EXISTS webhook_events (
+    id TEXT PRIMARY KEY,
+    event_type TEXT NOT NULL,
+    schema_id TEXT NOT NULL,
+    schema_slug TEXT NOT NULL,
+    entry_id TEXT NOT NULL,
+    payload_json TEXT NOT NULL,
+    status TEXT NOT NULL DEFAULT 'pending',
+    attempts INTEGER NOT NULL DEFAULT 0,
+    next_retry_at TEXT,
+    created_at TEXT NOT NULL,
+    updated_at TEXT NOT NULL
+  )`,
+    `CREATE TABLE IF NOT EXISTS webhook_deliveries (
+    id TEXT PRIMARY KEY,
+    event_id TEXT NOT NULL REFERENCES webhook_events(id) ON DELETE CASCADE,
+    webhook_id TEXT NOT NULL REFERENCES webhooks(id) ON DELETE CASCADE,
+    url TEXT NOT NULL,
+    status TEXT NOT NULL,
+    status_code INTEGER,
+    response_body TEXT,
+    error TEXT,
+    attempt INTEGER NOT NULL,
+    created_at TEXT NOT NULL,
+    next_retry_at TEXT
+  )`,
+    `CREATE TABLE IF NOT EXISTS realtime_configs (schema_id TEXT PRIMARY KEY REFERENCES schemas(id) ON DELETE CASCADE, enabled INTEGER NOT NULL DEFAULT 0, events_json TEXT NOT NULL, created_at TEXT NOT NULL, updated_at TEXT NOT NULL)`,
+    `CREATE TABLE IF NOT EXISTS realtime_events (sequence INTEGER PRIMARY KEY AUTOINCREMENT, id TEXT NOT NULL UNIQUE, message_id TEXT NOT NULL UNIQUE, event_type TEXT NOT NULL, schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE, schema_slug TEXT NOT NULL, entry_id TEXT NOT NULL, entry_json TEXT NOT NULL, occurred_at TEXT NOT NULL, created_at TEXT NOT NULL)`,
+    `CREATE TABLE IF NOT EXISTS realtime_sessions (id TEXT PRIMARY KEY, token_hash TEXT NOT NULL UNIQUE, token_prefix TEXT NOT NULL, role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE, schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE, schema_slug TEXT NOT NULL, created_at TEXT NOT NULL, expires_at TEXT NOT NULL, used_at TEXT)`,
+];

package/dist/migrations.d.ts

@@ -0,0 +1,5 @@
+export declare const MVP_MIGRATION_ID = "001_mvp_foundation";
+export { MVP_ADDITIVE_MIGRATIONS_SQL } from "./migrations-additive.js";
+export declare const MVP_TABLES: readonly ["migrations", "roles", "users", "schemas", "fields", "entries", "permissions", "admin_permissions", "api_tokens", "webhooks", "webhook_events", "webhook_deliveries", "realtime_configs", "realtime_events", "realtime_sessions"];
+export declare const MVP_FOUNDATION_SQL = "\nCREATE TABLE IF NOT EXISTS migrations (\n  id TEXT PRIMARY KEY,\n  applied_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS roles (\n  id TEXT PRIMARY KEY,\n  name TEXT NOT NULL UNIQUE,\n  description TEXT NOT NULL DEFAULT '',\n  is_owner INTEGER NOT NULL DEFAULT 0,\n  role_kind TEXT NOT NULL DEFAULT 'api',\n  created_at TEXT NOT NULL,\n  updated_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS users (\n  id TEXT PRIMARY KEY,\n  email TEXT NOT NULL UNIQUE,\n  password_hash TEXT NOT NULL,\n  role_id TEXT NOT NULL REFERENCES roles(id),\n  created_at TEXT NOT NULL,\n  updated_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS schemas (\n  id TEXT PRIMARY KEY,\n  name TEXT NOT NULL,\n  slug TEXT NOT NULL UNIQUE,\n  description TEXT NOT NULL DEFAULT '',\n  created_at TEXT NOT NULL,\n  updated_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS fields (\n  id TEXT PRIMARY KEY,\n  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,\n  name TEXT NOT NULL,\n  slug TEXT NOT NULL,\n  type TEXT NOT NULL,\n  relation_schema_id TEXT REFERENCES schemas(id),\n  relation_type TEXT,\n  required INTEGER NOT NULL DEFAULT 0,\n  position INTEGER NOT NULL,\n  UNIQUE(schema_id, slug)\n);\n\nCREATE TABLE IF NOT EXISTS entries (\n  id TEXT PRIMARY KEY,\n  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,\n  data_json TEXT NOT NULL,\n  created_at TEXT NOT NULL,\n  updated_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS permissions (\n  id TEXT PRIMARY KEY,\n  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,\n  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,\n  action TEXT NOT NULL,\n  allowed INTEGER NOT NULL DEFAULT 0,\n  UNIQUE(role_id, schema_id, action)\n);\n\nCREATE TABLE IF NOT EXISTS admin_permissions (\n  id TEXT PRIMARY KEY,\n  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,\n  action TEXT NOT NULL,\n  allowed INTEGER NOT NULL DEFAULT 0,\n  UNIQUE(role_id, action)\n);\n\nCREATE TABLE IF NOT EXISTS api_tokens (\n  id TEXT PRIMARY KEY,\n  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,\n  name TEXT NOT NULL,\n  token_hash TEXT NOT NULL UNIQUE,\n  token_prefix TEXT NOT NULL,\n  created_at TEXT NOT NULL,\n  last_used_at TEXT,\n  revoked_at TEXT\n);\n\nCREATE TABLE IF NOT EXISTS webhooks (\n  id TEXT PRIMARY KEY,\n  name TEXT NOT NULL,\n  url TEXT NOT NULL,\n  secret TEXT NOT NULL,\n  events_json TEXT NOT NULL,\n  schema_id TEXT REFERENCES schemas(id) ON DELETE SET NULL,\n  active INTEGER NOT NULL DEFAULT 1,\n  created_at TEXT NOT NULL,\n  updated_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS webhook_events (\n  id TEXT PRIMARY KEY,\n  event_type TEXT NOT NULL,\n  schema_id TEXT NOT NULL,\n  schema_slug TEXT NOT NULL,\n  entry_id TEXT NOT NULL,\n  payload_json TEXT NOT NULL,\n  status TEXT NOT NULL DEFAULT 'pending',\n  attempts INTEGER NOT NULL DEFAULT 0,\n  next_retry_at TEXT,\n  created_at TEXT NOT NULL,\n  updated_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS webhook_deliveries (\n  id TEXT PRIMARY KEY,\n  event_id TEXT NOT NULL REFERENCES webhook_events(id) ON DELETE CASCADE,\n  webhook_id TEXT NOT NULL REFERENCES webhooks(id) ON DELETE CASCADE,\n  url TEXT NOT NULL,\n  status TEXT NOT NULL,\n  status_code INTEGER,\n  response_body TEXT,\n  error TEXT,\n  attempt INTEGER NOT NULL,\n  created_at TEXT NOT NULL,\n  next_retry_at TEXT\n);\n\nCREATE TABLE IF NOT EXISTS realtime_configs (\n  schema_id TEXT PRIMARY KEY REFERENCES schemas(id) ON DELETE CASCADE,\n  enabled INTEGER NOT NULL DEFAULT 0,\n  events_json TEXT NOT NULL,\n  created_at TEXT NOT NULL,\n  updated_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS realtime_events (\n  sequence INTEGER PRIMARY KEY AUTOINCREMENT,\n  id TEXT NOT NULL UNIQUE,\n  message_id TEXT NOT NULL UNIQUE,\n  event_type TEXT NOT NULL,\n  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,\n  schema_slug TEXT NOT NULL,\n  entry_id TEXT NOT NULL,\n  entry_json TEXT NOT NULL,\n  occurred_at TEXT NOT NULL,\n  created_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS realtime_sessions (\n  id TEXT PRIMARY KEY,\n  token_hash TEXT NOT NULL UNIQUE,\n  token_prefix TEXT NOT NULL,\n  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,\n  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,\n  schema_slug TEXT NOT NULL,\n  created_at TEXT NOT NULL,\n  expires_at TEXT NOT NULL,\n  used_at TEXT\n);\n";
+//# sourceMappingURL=migrations.d.ts.map

package/dist/migrations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrations.d.ts","sourceRoot":"","sources":["../src/migrations.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AAErD,OAAO,EAAE,2BAA2B,EAAE,MAAM,0BAA0B,CAAC;AAEvE,eAAO,MAAM,UAAU,6OAgBb,CAAC;AAEX,eAAO,MAAM,kBAAkB,60IA2J9B,CAAC"}

package/dist/migrations.js

@@ -0,0 +1,175 @@
+export const MVP_MIGRATION_ID = "001_mvp_foundation";
+export { MVP_ADDITIVE_MIGRATIONS_SQL } from "./migrations-additive.js";
+export const MVP_TABLES = [
+    "migrations",
+    "roles",
+    "users",
+    "schemas",
+    "fields",
+    "entries",
+    "permissions",
+    "admin_permissions",
+    "api_tokens",
+    "webhooks",
+    "webhook_events",
+    "webhook_deliveries",
+    "realtime_configs",
+    "realtime_events",
+    "realtime_sessions",
+];
+export const MVP_FOUNDATION_SQL = `
+CREATE TABLE IF NOT EXISTS migrations (
+  id TEXT PRIMARY KEY,
+  applied_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS roles (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL UNIQUE,
+  description TEXT NOT NULL DEFAULT '',
+  is_owner INTEGER NOT NULL DEFAULT 0,
+  role_kind TEXT NOT NULL DEFAULT 'api',
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS users (
+  id TEXT PRIMARY KEY,
+  email TEXT NOT NULL UNIQUE,
+  password_hash TEXT NOT NULL,
+  role_id TEXT NOT NULL REFERENCES roles(id),
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS schemas (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  slug TEXT NOT NULL UNIQUE,
+  description TEXT NOT NULL DEFAULT '',
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS fields (
+  id TEXT PRIMARY KEY,
+  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  slug TEXT NOT NULL,
+  type TEXT NOT NULL,
+  relation_schema_id TEXT REFERENCES schemas(id),
+  relation_type TEXT,
+  required INTEGER NOT NULL DEFAULT 0,
+  position INTEGER NOT NULL,
+  UNIQUE(schema_id, slug)
+);
+
+CREATE TABLE IF NOT EXISTS entries (
+  id TEXT PRIMARY KEY,
+  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,
+  data_json TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permissions (
+  id TEXT PRIMARY KEY,
+  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,
+  action TEXT NOT NULL,
+  allowed INTEGER NOT NULL DEFAULT 0,
+  UNIQUE(role_id, schema_id, action)
+);
+
+CREATE TABLE IF NOT EXISTS admin_permissions (
+  id TEXT PRIMARY KEY,
+  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+  action TEXT NOT NULL,
+  allowed INTEGER NOT NULL DEFAULT 0,
+  UNIQUE(role_id, action)
+);
+
+CREATE TABLE IF NOT EXISTS api_tokens (
+  id TEXT PRIMARY KEY,
+  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  token_hash TEXT NOT NULL UNIQUE,
+  token_prefix TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  last_used_at TEXT,
+  revoked_at TEXT
+);
+
+CREATE TABLE IF NOT EXISTS webhooks (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  url TEXT NOT NULL,
+  secret TEXT NOT NULL,
+  events_json TEXT NOT NULL,
+  schema_id TEXT REFERENCES schemas(id) ON DELETE SET NULL,
+  active INTEGER NOT NULL DEFAULT 1,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS webhook_events (
+  id TEXT PRIMARY KEY,
+  event_type TEXT NOT NULL,
+  schema_id TEXT NOT NULL,
+  schema_slug TEXT NOT NULL,
+  entry_id TEXT NOT NULL,
+  payload_json TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  attempts INTEGER NOT NULL DEFAULT 0,
+  next_retry_at TEXT,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS webhook_deliveries (
+  id TEXT PRIMARY KEY,
+  event_id TEXT NOT NULL REFERENCES webhook_events(id) ON DELETE CASCADE,
+  webhook_id TEXT NOT NULL REFERENCES webhooks(id) ON DELETE CASCADE,
+  url TEXT NOT NULL,
+  status TEXT NOT NULL,
+  status_code INTEGER,
+  response_body TEXT,
+  error TEXT,
+  attempt INTEGER NOT NULL,
+  created_at TEXT NOT NULL,
+  next_retry_at TEXT
+);
+
+CREATE TABLE IF NOT EXISTS realtime_configs (
+  schema_id TEXT PRIMARY KEY REFERENCES schemas(id) ON DELETE CASCADE,
+  enabled INTEGER NOT NULL DEFAULT 0,
+  events_json TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS realtime_events (
+  sequence INTEGER PRIMARY KEY AUTOINCREMENT,
+  id TEXT NOT NULL UNIQUE,
+  message_id TEXT NOT NULL UNIQUE,
+  event_type TEXT NOT NULL,
+  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,
+  schema_slug TEXT NOT NULL,
+  entry_id TEXT NOT NULL,
+  entry_json TEXT NOT NULL,
+  occurred_at TEXT NOT NULL,
+  created_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS realtime_sessions (
+  id TEXT PRIMARY KEY,
+  token_hash TEXT NOT NULL UNIQUE,
+  token_prefix TEXT NOT NULL,
+  role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+  schema_id TEXT NOT NULL REFERENCES schemas(id) ON DELETE CASCADE,
+  schema_slug TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  expires_at TEXT NOT NULL,
+  used_at TEXT
+);
+`;

package/dist/permission-repository.d.ts

@@ -0,0 +1,6 @@
+import type { SqliteDatabase } from "./sqlite.js";
+import type { PermissionAction, PermissionRecord, SetPermissionInput } from "./permission-repository.type.js";
+export declare function setPermission(db: SqliteDatabase, input: SetPermissionInput): PermissionRecord;
+export declare function listRolePermissions(db: SqliteDatabase, roleId: string): PermissionRecord[];
+export declare function canRoleAccess(db: SqliteDatabase, roleId: string, schemaId: string, action: PermissionAction): boolean;
+//# sourceMappingURL=permission-repository.d.ts.map

package/dist/permission-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-repository.d.ts","sourceRoot":"","sources":["../src/permission-repository.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAGlD,OAAO,KAAK,EACV,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,iCAAiC,CAAC;AAazC,wBAAgB,aAAa,CAC3B,EAAE,EAAE,cAAc,EAClB,KAAK,EAAE,kBAAkB,GACxB,gBAAgB,CAelB;AAED,wBAAgB,mBAAmB,CACjC,EAAE,EAAE,cAAc,EAClB,MAAM,EAAE,MAAM,GACb,gBAAgB,EAAE,CAKpB;AAED,wBAAgB,aAAa,CAC3B,EAAE,EAAE,cAAc,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAQT"}

package/dist/permission-repository.js

@@ -0,0 +1,80 @@
+import { randomUUID } from "node:crypto";
+import { getRoleById } from "./role-repository.js";
+import { getSchemaById } from "./schema-repository.js";
+const permissionActions = [
+    "getAll",
+    "get",
+    "create",
+    "update",
+    "delete",
+    "manage",
+];
+export function setPermission(db, input) {
+    validatePermissionInput(db, input);
+    const existing = findPermission(db, input.roleId, input.schemaId, input.action);
+    if (existing) {
+        db.prepare("UPDATE permissions SET allowed = ? WHERE id = ?").run(input.allowed ? 1 : 0, existing.id);
+        return requirePermission(db, existing.id);
+    }
+    const id = randomUUID();
+    db.prepare("INSERT INTO permissions (id, role_id, schema_id, action, allowed) VALUES (?, ?, ?, ?, ?)").run(id, input.roleId, input.schemaId, input.action, input.allowed ? 1 : 0);
+    return requirePermission(db, id);
+}
+export function listRolePermissions(db, roleId) {
+    const rows = db
+        .prepare(permissionSelectSql("WHERE role_id = ? ORDER BY schema_id ASC, action ASC"))
+        .all(roleId);
+    return rows.map(rowToPermission);
+}
+export function canRoleAccess(db, roleId, schemaId, action) {
+    const role = getRoleById(db, roleId);
+    if (!role)
+        return false;
+    if (role.roleKind !== "api")
+        return false;
+    const manage = findPermission(db, roleId, schemaId, "manage");
+    if (manage?.allowed)
+        return true;
+    const permission = findPermission(db, roleId, schemaId, action);
+    return Boolean(permission?.allowed);
+}
+function validatePermissionInput(db, input) {
+    if (!permissionActions.includes(input.action)) {
+        throw new Error("PERMISSION_ACTION_INVALID");
+    }
+    const role = getRoleById(db, input.roleId);
+    if (!role) {
+        throw new Error("ROLE_NOT_FOUND");
+    }
+    if (role.roleKind !== "api") {
+        throw new Error("ROLE_API_REQUIRED");
+    }
+    if (!getSchemaById(db, input.schemaId)) {
+        throw new Error("SCHEMA_NOT_FOUND");
+    }
+}
+function findPermission(db, roleId, schemaId, action) {
+    const row = db
+        .prepare(permissionSelectSql("WHERE role_id = ? AND schema_id = ? AND action = ?"))
+        .get(roleId, schemaId, action);
+    return row ? rowToPermission(row) : undefined;
+}
+function requirePermission(db, id) {
+    const row = db.prepare(permissionSelectSql("WHERE id = ?")).get(id);
+    if (!row) {
+        throw new Error("PERMISSION_NOT_FOUND");
+    }
+    return rowToPermission(row);
+}
+function rowToPermission(row) {
+    return {
+        id: row.id,
+        roleId: row.roleId,
+        schemaId: row.schemaId,
+        action: row.action,
+        allowed: Boolean(row.allowed),
+    };
+}
+function permissionSelectSql(suffix) {
+    return `SELECT id, role_id as roleId, schema_id as schemaId, action, allowed FROM permissions ${suffix}`;
+}

package/dist/permission-repository.type.d.ts

@@ -0,0 +1,11 @@
+export type PermissionAction = "getAll" | "get" | "create" | "update" | "delete" | "manage";
+export type SetPermissionInput = {
+    roleId: string;
+    schemaId: string;
+    action: PermissionAction;
+    allowed: boolean;
+};
+export type PermissionRecord = SetPermissionInput & {
+    id: string;
+};
+//# sourceMappingURL=permission-repository.type.d.ts.map

package/dist/permission-repository.type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-repository.type.d.ts","sourceRoot":"","sources":["../src/permission-repository.type.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE5F,MAAM,MAAM,kBAAkB,GAAG;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,gBAAgB,CAAC;IACzB,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG,kBAAkB,GAAG;IAClD,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC"}

package/dist/permission-repository.type.js

@@ -0,0 +1 @@
+export {};

package/dist/realtime-repository.d.ts

@@ -0,0 +1,12 @@
+import type { SqliteDatabase } from "./sqlite.js";
+import type { RealtimeEventRecord, RealtimeConfigRecord, RealtimeEventType, RecordRealtimeEventInput, SetRealtimeConfigInput } from "./realtime-repository.type.js";
+export declare function listRealtimeConfigs(db: SqliteDatabase): RealtimeConfigRecord[];
+export declare function listRealtimeSettings(db: SqliteDatabase): RealtimeConfigRecord[];
+export declare function getRealtimeConfig(db: SqliteDatabase, schemaId: string): RealtimeConfigRecord | undefined;
+export declare function setRealtimeConfig(db: SqliteDatabase, input: SetRealtimeConfigInput): RealtimeConfigRecord;
+export declare function isRealtimeEventEnabled(db: SqliteDatabase, schemaId: string, event: RealtimeEventType): boolean;
+export declare function recordRealtimeEvent(db: SqliteDatabase, input: RecordRealtimeEventInput): RealtimeEventRecord;
+export declare function listRealtimeEventsAfter(db: SqliteDatabase, schemaId: string, lastEventId: string, limit?: number): RealtimeEventRecord[];
+export declare function listRecentRealtimeEvents(db: SqliteDatabase, limit?: number): RealtimeEventRecord[];
+export declare function pruneRealtimeEvents(db: SqliteDatabase, schemaId: string, keepLatest?: number): number;
+//# sourceMappingURL=realtime-repository.d.ts.map

package/dist/realtime-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"realtime-repository.d.ts","sourceRoot":"","sources":["../src/realtime-repository.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,OAAO,KAAK,EACV,mBAAmB,EACnB,oBAAoB,EACpB,iBAAiB,EACjB,wBAAwB,EACxB,sBAAsB,EACvB,MAAM,+BAA+B,CAAC;AAevC,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,cAAc,GAAG,oBAAoB,EAAE,CAG9E;AAED,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,cAAc,GAAG,oBAAoB,EAAE,CAY/E;AAED,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,GAAG,oBAAoB,GAAG,SAAS,CAGxG;AAED,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,sBAAsB,GAAG,oBAAoB,CAYzG;AAED,wBAAgB,sBAAsB,CAAC,EAAE,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAG9G;AAED,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,wBAAwB,GAAG,mBAAmB,CAU5G;AAED,wBAAgB,uBAAuB,CACrC,EAAE,EAAE,cAAc,EAClB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,KAAK,SAAK,GACT,mBAAmB,EAAE,CAOvB;AAED,wBAAgB,wBAAwB,CAAC,EAAE,EAAE,cAAc,EAAE,KAAK,SAAK,GAAG,mBAAmB,EAAE,CAI9F;AAED,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,SAAO,GAAG,MAAM,CAanG"}

package/dist/realtime-repository.js

@@ -0,0 +1,98 @@
+import { randomUUID } from "node:crypto";
+import { getSchemaById, listSchemas } from "./schema-repository.js";
+const allowedEvents = new Set(["entry.created", "entry.updated", "entry.deleted"]);
+export function listRealtimeConfigs(db) {
+    const rows = db.prepare(realtimeSelectSql("ORDER BY updated_at DESC")).all();
+    return rows.map(rowToRealtimeConfig);
+}
+export function listRealtimeSettings(db) {
+    const configs = new Map(listRealtimeConfigs(db).map((config) => [config.schemaId, config]));
+    const now = new Date().toISOString();
+    return listSchemas(db).map((schema) => configs.get(schema.id) ?? {
+        schemaId: schema.id,
+        enabled: false,
+        events: ["entry.created", "entry.updated", "entry.deleted"],
+        createdAt: now,
+        updatedAt: now,
+    });
+}
+export function getRealtimeConfig(db, schemaId) {
+    const row = db.prepare(realtimeSelectSql("WHERE schema_id = ?")).get(schemaId);
+    return row ? rowToRealtimeConfig(row) : undefined;
+}
+export function setRealtimeConfig(db, input) {
+    const events = normalizeEvents(input.events);
+    if (!getSchemaById(db, input.schemaId))
+        throw new Error("SCHEMA_NOT_FOUND");
+    const now = new Date().toISOString();
+    db.prepare(`INSERT INTO realtime_configs (schema_id, enabled, events_json, created_at, updated_at)
+     VALUES (?, ?, ?, ?, ?)
+     ON CONFLICT(schema_id) DO UPDATE SET enabled = excluded.enabled,
+       events_json = excluded.events_json,
+       updated_at = excluded.updated_at`).run(input.schemaId, input.enabled ? 1 : 0, JSON.stringify(events), now, now);
+    return getRealtimeConfig(db, input.schemaId);
+}
+export function isRealtimeEventEnabled(db, schemaId, event) {
+    const config = getRealtimeConfig(db, schemaId);
+    return Boolean(config?.enabled && config.events.includes(event));
+}
+export function recordRealtimeEvent(db, input) {
+    const now = new Date().toISOString();
+    const id = `rte_${randomUUID()}`;
+    const messageId = `rtm_${randomUUID()}`;
+    db.prepare(`INSERT INTO realtime_events
+      (id, message_id, event_type, schema_id, schema_slug, entry_id, entry_json, occurred_at, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(id, messageId, input.eventType, input.schemaId, input.schemaSlug, input.entry.id, JSON.stringify(input.entry), now, now);
+    return rowToRealtimeEvent(db.prepare(realtimeEventSelectSql("WHERE id = ?")).get(id));
+}
+export function listRealtimeEventsAfter(db, schemaId, lastEventId, limit = 50) {
+    const last = db.prepare("SELECT sequence FROM realtime_events WHERE id = ? AND schema_id = ?")
+        .get(lastEventId, schemaId);
+    if (!last)
+        return [];
+    const rows = db.prepare(realtimeEventSelectSql("WHERE schema_id = ? AND sequence > ? ORDER BY sequence ASC LIMIT ?"))
+        .all(schemaId, last.sequence, Math.max(1, Math.min(limit, 100)));
+    return rows.map(rowToRealtimeEvent);
+}
+export function listRecentRealtimeEvents(db, limit = 25) {
+    const rows = db.prepare(realtimeEventSelectSql("ORDER BY sequence DESC LIMIT ?"))
+        .all(Math.max(1, Math.min(limit, 100)));
+    return rows.map(rowToRealtimeEvent);
+}
+export function pruneRealtimeEvents(db, schemaId, keepLatest = 1000) {
+    const keep = Math.max(1, keepLatest);
+    const result = db.prepare(`DELETE FROM realtime_events
+     WHERE schema_id = ?
+       AND sequence NOT IN (
+         SELECT sequence FROM realtime_events
+         WHERE schema_id = ?
+         ORDER BY sequence DESC
+         LIMIT ?
+       )`).run(schemaId, schemaId, keep);
+    return result.changes;
+}
+function normalizeEvents(events) {
+    const unique = [...new Set(events)];
+    if (unique.length === 0 || unique.some((event) => !allowedEvents.has(event))) {
+        throw new Error("REALTIME_EVENTS_INVALID");
+    }
+    return unique;
+}
+function rowToRealtimeConfig(row) {
+    const { eventsJson: _eventsJson, ...record } = row;
+    return {
+        ...record,
+        enabled: Boolean(row.enabled),
+        events: JSON.parse(row.eventsJson),
+    };
+}
+function realtimeSelectSql(suffix) {
+    return `SELECT schema_id as schemaId, enabled, events_json as eventsJson, created_at as createdAt, updated_at as updatedAt FROM realtime_configs ${suffix}`;
+}
+function rowToRealtimeEvent(row) {
+    const { entryJson: _entryJson, sequence: _sequence, ...record } = row;
+    return { ...record, entry: JSON.parse(row.entryJson) };
+}
+function realtimeEventSelectSql(suffix) {
+    return `SELECT sequence, id, message_id as messageId, event_type as eventType, schema_id as schemaId, schema_slug as schemaSlug, entry_id as entryId, entry_json as entryJson, occurred_at as occurredAt, created_at as createdAt FROM realtime_events ${suffix}`;
+}

package/dist/realtime-repository.type.d.ts

@@ -0,0 +1,33 @@
+import type { WebhookEventType } from "./webhook-repository.type.js";
+import type { EntryRecord } from "./entry-repository.type.js";
+export type RealtimeEventType = WebhookEventType;
+export type RealtimeConfigRecord = {
+    schemaId: string;
+    enabled: boolean;
+    events: RealtimeEventType[];
+    createdAt: string;
+    updatedAt: string;
+};
+export type SetRealtimeConfigInput = {
+    schemaId: string;
+    enabled: boolean;
+    events: RealtimeEventType[];
+};
+export type RealtimeEventRecord = {
+    id: string;
+    messageId: string;
+    eventType: RealtimeEventType;
+    schemaId: string;
+    schemaSlug: string;
+    entryId: string;
+    entry: EntryRecord;
+    occurredAt: string;
+    createdAt: string;
+};
+export type RecordRealtimeEventInput = {
+    eventType: RealtimeEventType;
+    schemaId: string;
+    schemaSlug: string;
+    entry: EntryRecord;
+};
+//# sourceMappingURL=realtime-repository.type.d.ts.map

package/dist/realtime-repository.type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"realtime-repository.type.d.ts","sourceRoot":"","sources":["../src/realtime-repository.type.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAE9D,MAAM,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAEjD,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,iBAAiB,EAAE,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,WAAW,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG;IACrC,SAAS,EAAE,iBAAiB,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,WAAW,CAAC;CACpB,CAAC"}

package/dist/realtime-repository.type.js

@@ -0,0 +1 @@
+export {};

package/dist/realtime-session-repository.d.ts

@@ -0,0 +1,5 @@
+import type { SqliteDatabase } from "./sqlite.js";
+import type { CreatedRealtimeSession, CreateRealtimeSessionInput, RealtimeSessionRecord } from "./realtime-session-repository.type.js";
+export declare function createRealtimeSession(db: SqliteDatabase, input: CreateRealtimeSessionInput): CreatedRealtimeSession;
+export declare function consumeRealtimeSession(db: SqliteDatabase, token: string, schemaSlug: string, now?: Date): RealtimeSessionRecord | undefined;
+//# sourceMappingURL=realtime-session-repository.d.ts.map

package/dist/realtime-session-repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"realtime-session-repository.d.ts","sourceRoot":"","sources":["../src/realtime-session-repository.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EACV,sBAAsB,EACtB,0BAA0B,EAC1B,qBAAqB,EACtB,MAAM,uCAAuC,CAAC;AAI/C,wBAAgB,qBAAqB,CAAC,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,0BAA0B,GAAG,sBAAsB,CAoBnH;AAED,wBAAgB,sBAAsB,CACpC,EAAE,EAAE,cAAc,EAClB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,GAAG,OAAa,GACf,qBAAqB,GAAG,SAAS,CAQnC"}

package/dist/realtime-session-repository.js

@@ -0,0 +1,38 @@
+import { createHash, randomBytes, randomUUID } from "node:crypto";
+export function createRealtimeSession(db, input) {
+    const now = new Date();
+    const ttlSeconds = Math.max(30, Math.min(input.ttlSeconds ?? 300, 900));
+    const token = `rt_${randomBytes(32).toString("base64url")}`;
+    const id = randomUUID();
+    db.prepare(`INSERT INTO realtime_sessions
+      (id, token_hash, token_prefix, role_id, schema_id, schema_slug, created_at, expires_at, used_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, NULL)`).run(id, hashToken(token), token.slice(0, 12), input.roleId, input.schemaId, input.schemaSlug, now.toISOString(), new Date(now.getTime() + ttlSeconds * 1000).toISOString());
+    return { token, session: requireRealtimeSession(db, id) };
+}
+export function consumeRealtimeSession(db, token, schemaSlug, now = new Date()) {
+    const row = db.prepare(sessionSelectSql("WHERE token_hash = ? AND schema_slug = ?"))
+        .get(hashToken(token), schemaSlug);
+    if (!row || row.usedAt || Date.parse(row.expiresAt) <= now.getTime())
+        return undefined;
+    const result = db.prepare("UPDATE realtime_sessions SET used_at = ? WHERE id = ? AND used_at IS NULL")
+        .run(now.toISOString(), row.id);
+    if (result.changes !== 1)
+        return undefined;
+    return getRealtimeSessionById(db, row.id);
+}
+function getRealtimeSessionById(db, id) {
+    const row = db.prepare(sessionSelectSql("WHERE id = ?")).get(id);
+    return row;
+}
+function requireRealtimeSession(db, id) {
+    const session = getRealtimeSessionById(db, id);
+    if (!session)
+        throw new Error("REALTIME_SESSION_NOT_FOUND");
+    return session;
+}
+function hashToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+function sessionSelectSql(suffix) {
+    return `SELECT id, token_prefix as tokenPrefix, role_id as roleId, schema_id as schemaId, schema_slug as schemaSlug, created_at as createdAt, expires_at as expiresAt, used_at as usedAt FROM realtime_sessions ${suffix}`;
+}

package/dist/realtime-session-repository.type.d.ts

@@ -0,0 +1,21 @@
+export type RealtimeSessionRecord = {
+    id: string;
+    tokenPrefix: string;
+    roleId: string;
+    schemaId: string;
+    schemaSlug: string;
+    createdAt: string;
+    expiresAt: string;
+    usedAt: string | null;
+};
+export type CreatedRealtimeSession = {
+    token: string;
+    session: RealtimeSessionRecord;
+};
+export type CreateRealtimeSessionInput = {
+    roleId: string;
+    schemaId: string;
+    schemaSlug: string;
+    ttlSeconds?: number;
+};
+//# sourceMappingURL=realtime-session-repository.type.d.ts.map

package/dist/realtime-session-repository.type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"realtime-session-repository.type.d.ts","sourceRoot":"","sources":["../src/realtime-session-repository.type.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,qBAAqB,GAAG;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,qBAAqB,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC"}

package/dist/realtime-session-repository.type.js

@@ -0,0 +1 @@
+export {};